In this section, you will set up two SAML2 scenarios with eXo Platform and Salesforce:
Configurations and UI on the Salesforce side can be changed by Salesforce and may depend on your Salesforce edition and license. If you have problems when following the instructions here, please consult Salesforce support and documentation, and leave feedback to help us keep the eXo documentation up-to-date.
In this guide, we assume that you start from the beginning and register a free Salesforce developer account for testing, as follows:
Sign up at http://developer.force.com/.
Set up your domain by selecting
→ → .
Configuring Salesforce as SAML2 SP
Set up SSO by clicking Edit and checking SAML Enabled.
→ → , then select Create a new SAML Single Sign-On Setting and complete the screen as below:
Issuer: The eXo Platform IDP URL, like http://www.idp.com:8080/portal/dologin.
SAML Identity Type: Select Assertion contains the Federation ID from the User object.
SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
Identity Provider Login(/Logout) URL: http://www.idp.com:8080/portal/dologin.
Entity ID: Currently, this should be https://saml.salesforce.com.
Certificate: Export a .crt file from your keystore to be uploaded here.
The command to export:
keytool -export -keystore secure-keystore.jks -alias secure-key -file test-certificate.crt
If you are using the default jbid_test_keystore.jks (for testing only), the keystore password is store123 and the key alias is servercert.
Go back to the My Domain screen and edit the Login Page Branding section. Check your SSO Setting item(s) under Authentication Service.
The default "Login Page" still lets you log in to Salesforce when the IDP is not available, so keeping it is safe while testing. Depending on your Salesforce edition, you may be able to enable or disable SSO for individual users (via User Profile and Permission Set). For now, do not uncheck Login Page.
Configurations at eXo Platform
Configure eXo Platform IDP as described in eXo Platform as SAML2 IDP.
Then update gatein.sso.sp.domains and gatein.sso.sp.host as below:
gatein.sso.sp.domains=salesforce.com
gatein.sso.sp.host=saml.salesforce.com
Add a trusted domain by modifying $PLATFORM_IDP/standalone/configuration/gatein/saml2/picketlink-idp.xml like:
<IdentityURL>http://www.idp.com:8080/portal/dologin</IdentityURL>
<Trust>
<Domains>${gatein.sso.sp.domains},saml.salesforce.com</Domains>
</Trust>
<KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
................
................
<ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert"/>
</KeyProvider>
<MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
<Option Key="FileName" Value="/WEB-INF/conf/sso/saml/sp-metadata.xml"/>
</MetaDataProvider>
"salesforce-cert" is the alias under which you will import the Salesforce certificate into your keystore in a later step.
On Windows, use the absolute path to the keystore file instead of ${gatein.sso.picketlink.keystore}.
Download the SP metadata file from your Salesforce SSO Setting page by clicking Download Metadata. See the screenshot below:
Save the file as WEB-INF/conf/sso/saml/sp-metadata.xml inside $PLATFORM_IDP/standalone/deployments/platform.ear/exo.portal.web.portal.war. Then add EntitiesDescriptor as the root tag of this XML file. Now, the file will look like:
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:EntityDescriptor entityID="https://saml.salesforce.com" validUntil="2025-01-09T02:22:00.551Z">
....
</md:EntityDescriptor>
</md:EntitiesDescriptor>
Finally, change AuthnRequestsSigned="true" to AuthnRequestsSigned="false" and save the file again.
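The two edits above (wrapping the downloaded EntityDescriptor in an EntitiesDescriptor root and switching AuthnRequestsSigned off) are easy to get wrong by hand. The following script, added here as an example and not part of eXo Platform or Salesforce, performs both edits and also warns when the metadata's validUntil date has already passed, which PicketLink would otherwise reject without an obvious error. The sample metadata is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, List, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample resembling what Salesforce's "Download Metadata" returns.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://saml.salesforce.com" validUntil="2025-01-09T02:22:00.551Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def parse_saml_time(value: str) -> datetime:
    """Parse the xsd:dateTime form Salesforce uses in validUntil (UTC, ms precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def prepare_sp_metadata(xml_text: str, now: Optional[datetime] = None) -> Tuple[str, List[str]]:
    """Return (rewritten XML ready to save as sp-metadata.xml, list of warnings)."""
    now = now or datetime.now(timezone.utc)
    warnings: List[str] = []
    entity = ET.fromstring(xml_text)
    if entity.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor root, got {entity.tag}")
    # Step 1: make EntitiesDescriptor the root, as the guide requires.
    root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor")
    root.append(entity)
    # Step 2: AuthnRequestsSigned="true" -> "false", as the guide requires; note the
    # consequence, since the IDP will then accept unsigned AuthnRequests from Salesforce.
    for spsso in entity.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        if spsso.get("AuthnRequestsSigned") == "true":
            spsso.set("AuthnRequestsSigned", "false")
            warnings.append("AuthnRequestsSigned set to false: unsigned AuthnRequests will be accepted")
    # Step 3: expired metadata is rejected later with little diagnostic help; warn now.
    valid_until = entity.get("validUntil")
    if valid_until and parse_saml_time(valid_until) <= now:
        warnings.append(f"metadata validUntil {valid_until} has passed; download it again")
    return ET.tostring(root, encoding="unicode"), warnings

if __name__ == "__main__":
    xml_out, notes = prepare_sp_metadata(SAMPLE_SP_METADATA)
    print(xml_out)
    for note in notes:
        print("WARNING:", note)
```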
Download and import the Salesforce client certificate.
The link to download the new certificate should be found on this page. At the moment, you can use this link:
http://s3.amazonaws.com/dfc-wiki/en/images/3/34/New_proxy.salesforce.com_certificate_chain.zip.
Download and unzip it; you will see a file named proxy-salesforce-com.123.
Import the certificate into your keystore file with the command below:
keytool -import -keystore secure-keystore.jks -file proxy-salesforce-com.123 -alias salesforce-cert
Testing the scenario
Create some users in Salesforce and in the eXo Platform IDP for testing. User mapping uses the Federation ID, which means the username "john" in eXo Platform must match the Federation ID "john" in Salesforce.
Log out of Salesforce, then log in again using your domain (https://exodoc-dev-ed.my.salesforce.com/ for example).
Now you will see a link to the IDP login page on the login screen, like "eXo Doc SSO" (the name of your Salesforce SSO Setting above) in the screenshot:
Click the link. You will be redirected to the eXo Platform login screen.
Log in as one of the test users. You will get access to your Salesforce domain.
Remember to disable SSO if you enabled it as described in Configuring Salesforce as SAML2 SP.
Configuring Salesforce as SAML2 IDP
Enable the Identity Provider:
→ → , then click Enable Identity Provider.
Accept the default certificate by clicking Save. You can change it later if needed.
Create Connected Apps, as follows:
i. Click the link in the Service Providers section:
ii. Fill in all required information. In the Web App Settings section, check Enable SAML and complete the following information:
Entity ID: The SP login URL, like http://www.sp.com:8080/portal/dologin.
ACS URL: The URL of the Assertion Consumer Service. In this scenario, it is http://www.sp.com:8080/portal/dologin too.
Subject Type: Select Federation ID.
Name ID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
Issuer: Use your domain like https://exodoc-dev-ed.my.salesforce.com.
You can also create Connected Apps by selecting → → .
Make sure your connected application can be accessed by users who have the "Standard Platform User" profile, as follows:
i. Click → .
ii. Find your app and click it to view it. In the Profiles section, you can manage the Profiles that have access to your app. Make sure "Standard Platform User" is listed, because it is needed for testing later.
Configurations at eXo Platform
Configure eXo Platform as described in eXo Platform as SAML2 SP. Note the values below:
gatein.sso.idp.host=exodoc-dev-ed.my.salesforce.com
gatein.sso.idp.url=https://exodoc-dev-ed.my.salesforce.com/idp/endpoint/HttpPost
gatein.sso.sp.url=http://www.sp.com:8080/portal/dologin
Add the lines below to $PLATFORM_SP/standalone/configuration/gatein/saml2/picketlink-sp.xml:
<Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
..........
<ValidatingAlias Key="exodoc-dev-ed.my.salesforce.com" Value="salesforce-idp"/>
On Windows, use the absolute path to the keystore file instead of ${gatein.sso.picketlink.keystore}.
Download and import the Salesforce IDP certificate into your keystore. The Salesforce IDP certificate is downloaded from the Identity Provider page:
The import command looks like this:
keytool -import -keystore secure-keystore.jks -file SelfSignedCert_27Nov2013_105525.crt -alias salesforce-idp
Note that if you are using the default jbid_test_keystore.jks, the store password is store123.
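The SP-side settings above must agree with each other: the host in gatein.sso.idp.host, the host inside gatein.sso.idp.url and the Key of the ValidatingAlias in picketlink-sp.xml all name the same Salesforce domain, otherwise PicketLink cannot find the certificate to verify the IDP's signature. The following checker is an added example, not eXo tooling; the property and XML samples are constructed from the values in this guide, and the windows flag reflects the absolute-path note above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from typing import Dict, List

# Constructed samples mirroring the values shown in this guide.
SAMPLE_PROPERTIES = """
gatein.sso.idp.host=exodoc-dev-ed.my.salesforce.com
gatein.sso.idp.url=https://exodoc-dev-ed.my.salesforce.com/idp/endpoint/HttpPost
gatein.sso.sp.url=http://www.sp.com:8080/portal/dologin
"""
SAMPLE_PICKETLINK_SP = """<KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
  <Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
  <ValidatingAlias Key="exodoc-dev-ed.my.salesforce.com" Value="salesforce-idp"/>
</KeyProvider>"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for the gatein.sso.* properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_sp_config(properties_text: str, picketlink_xml: str, windows: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the settings agree."""
    props = parse_properties(properties_text)
    root = ET.fromstring(picketlink_xml)
    problems: List[str] = []
    idp_host = props.get("gatein.sso.idp.host", "")
    idp_url = urlparse(props.get("gatein.sso.idp.url", ""))
    url_host = idp_url.hostname or ""
    if idp_host != url_host:
        problems.append(f"gatein.sso.idp.host ({idp_host}) differs from host in gatein.sso.idp.url ({url_host})")
    if idp_url.scheme != "https":
        problems.append("gatein.sso.idp.url should use https; assertions are posted through this endpoint")
    # PicketLink looks up the verification certificate by the issuer host in ValidatingAlias.
    aliases = {e.get("Key"): e.get("Value") for e in root.iter("ValidatingAlias")}
    if idp_host not in aliases:
        problems.append(f"no ValidatingAlias for {idp_host}: IDP signatures cannot be verified")
    keystore = next((a.get("Value") for a in root.iter("Auth") if a.get("Key") == "KeyStoreURL"), None)
    if windows and keystore and keystore.startswith("${"):
        problems.append(f"on Windows use an absolute keystore path instead of {keystore}")
    return problems

if __name__ == "__main__":
    for problem in check_sp_config(SAMPLE_PROPERTIES, SAMPLE_PICKETLINK_SP) or ["settings agree"]:
        print(problem)
```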
Testing the scenario
Create some users in Salesforce and in the eXo Platform SP for testing. User mapping uses the Federation ID, which means the username "john" in eXo Platform must match the Federation ID "john" in Salesforce. Also make sure the Salesforce user has the "Standard Platform User" profile (to have access to the Connected App, as explained above).
Now access eXo Platform. You will be redirected to the Salesforce login page. After authenticating with your Salesforce username (like john@example.com), you get access to eXo Platform.